[ruby-core:115742] [Ruby master Bug#20050] Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for #hash)

["mame (Yusuke Endoh) via ruby-core" <ruby-core@ml.ruby-lang.org>]

Issue #20050 has been updated by mame (Yusuke Endoh).


I'm not sure if this is really the same problem, but I was able to segfault with the following code.

```ruby
srand(0)

class Foo
  def to_a
    []
  end

  def hash
    $h.delete($h.keys.sample) if rand < 0.1
    to_a.hash
  end
end

GC.stress = true
100.times do
  $h = {}
  (0..10).each {|i| $h[Foo.new] ||= {} }
end
```

```
t.rb:17: [BUG] Segmentation fault at 0x0000000000000034
ruby 3.3.0dev (2023-12-14T08:39:42Z master e51f9e9f75) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0007 p:---- s:0029 e:000028 CFUNC  :hash
c:0006 p:0021 s:0026 e:000021 BLOCK  ../t.rb:17 [FINISH]
c:0005 p:---- s:0018 e:000017 CFUNC  :each
c:0004 p:0009 s:0014 e:000013 BLOCK  ../t.rb:17
c:0003 p:0025 s:0011 e:000010 METHOD <internal:numeric>:237
c:0002 p:0025 s:0006 e:000005 EVAL   ../t.rb:15 [FINISH]
c:0001 p:0000 s:0003 E:001dd0 DUMMY  [FINISH]

-- Ruby level backtrace information ----------------------------------------
../t.rb:15:in `<main>'
<internal:numeric>:237:in `times'
../t.rb:17:in `block in <main>'
../t.rb:17:in `each'
../t.rb:17:in `block (2 levels) in <main>'
../t.rb:17:in `hash'

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1

-- Machine register context ------------------------------------------------
 RIP: 0x0000564aa444d3ab RBP: 0x00007f48494e4b00 RSP: 0x00007fffa788b410
 RAX: 0x0000000000000000 RBX: 0x0000564aa6749e40 RCX: 0x0000564aa444d370
 RDX: 0x0000000000000000 RDI: 0x0000000000000024 RSI: 0x0000000000000000
  R8: 0x0000000000000ac1  R9: 0x00007f48494e4b00 R10: 0x0000000000000000
 R11: 0x0000000000000024 R12: 0x0000564aa6709580 R13: 0x0000564aa6709580
 R14: 0x00007f48495feec0 R15: 0x0000000000000000 EFL: 0x0000000000010293

-- C level backtrace information -------------------------------------------
/home/mame/work/ruby/miniruby(rb_print_backtrace+0x14) [0x564aa4585a94] /home/mame/work/ruby/vm_dump.c:820
/home/mame/work/ruby/miniruby(rb_vm_bugreport) /home/mame/work/ruby/vm_dump.c:1151
/home/mame/work/ruby/miniruby(rb_bug_for_fatal_signal+0x14c) [0x564aa43bd4dc] /home/mame/work/ruby/error.c:1065
/home/mame/work/ruby/miniruby(sigsegv+0x53) [0x564aa44e6633] /home/mame/work/ruby/signal.c:920
/lib/x86_64-linux-gnu/libc.so.6(0x7f4849a42910) [0x7f4849a42910]
./miniruby(rb_float_noflonum_value+0x0) [0x564aa444d3ab]
/home/mame/work/ruby/miniruby(rb_float_flonum_value) ./internal/numeric.h:240
/home/mame/work/ruby/miniruby(rb_float_value_inline) ./internal/numeric.h:238
/home/mame/work/ruby/miniruby(flo_hash) /home/mame/work/ruby/numeric.c:1652
/home/mame/work/ruby/miniruby(vm_call0_cfunc_with_frame+0xca) [0x564aa457e356] ./vm_eval.c:173
/home/mame/work/ruby/miniruby(vm_call0_cfunc) ./vm_eval.c:187
/home/mame/work/ruby/miniruby(vm_call0_body) ./vm_eval.c:233
/home/mame/work/ruby/miniruby(rb_funcallv+0x212) [0x564aa4564902] ./vm_eval.c:110
/home/mame/work/ruby/miniruby(vm_catch_protect+0xfe) [0x564aa456a91e] ./vm_eval.c:2369
/home/mame/work/ruby/miniruby(exec_recursive+0x216) [0x564aa4529e76] /home/mame/work/ruby/thread.c:5179
/home/mame/work/ruby/miniruby(obj_any_hash+0x56) [0x564aa43f2486] /home/mame/work/ruby/hash.c:218
/home/mame/work/ruby/miniruby(any_hash+0x4c) [0x564aa43f239c] /home/mame/work/ruby/hash.c:203
/home/mame/work/ruby/miniruby(do_hash+0x6) [0x564aa44ee2d8] /home/mame/work/ruby/st.c:320
/home/mame/work/ruby/miniruby(rb_st_add_direct) /home/mame/work/ruby/st.c:1183
/home/mame/work/ruby/miniruby(ar_try_convert_table+0xbf) [0x564aa43f35df] /home/mame/work/ruby/hash.c:714
/home/mame/work/ruby/miniruby(RHASH_ST_TABLE+0x0) [0x564aa43f456e] /home/mame/work/ruby/hash.c:1641
/home/mame/work/ruby/miniruby(rb_hash_stlike_update) /home/mame/work/ruby/hash.c:1648
/home/mame/work/ruby/miniruby(tbl_update) /home/mame/work/ruby/hash.c:1689
./miniruby(rb_hash_aset+0xa7) [0x564aa43f44f7]
/home/mame/work/ruby/miniruby(vm_exec_core+0x5708) [0x564aa4560098] ./vm_insnhelper.c:6328
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad] /home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
./miniruby(invoke_block_from_c_bh+0x469) [0x564aa4580439]
/home/mame/work/ruby/miniruby(vm_yield_with_cref+0x46) [0x564aa45686f5] /home/mame/work/ruby/vm.c:1634
/home/mame/work/ruby/miniruby(vm_yield) /home/mame/work/ruby/vm.c:1642
/home/mame/work/ruby/miniruby(rb_yield_0) ./vm_eval.c:1366
/home/mame/work/ruby/miniruby(rb_yield) ./vm_eval.c:1382
/home/mame/work/ruby/miniruby(range_each_fixnum_loop+0x32) [0x564aa44a1df8] /home/mame/work/ruby/range.c:911
/home/mame/work/ruby/miniruby(range_each) /home/mame/work/ruby/range.c:948
/home/mame/work/ruby/miniruby(vm_call_cfunc_with_frame_+0xf4) [0x564aa4578574] ./vm_insnhelper.c:3490
/home/mame/work/ruby/miniruby(vm_sendish+0xd6) [0x564aa455cd2b] ./vm_insnhelper.c:5581
/home/mame/work/ruby/miniruby(vm_exec_core) /home/mame/work/ruby/insns.def:814
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad] /home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
/home/mame/work/ruby/miniruby(rb_ec_exec_node+0x2b) [0x564aa43c985b] /home/mame/work/ruby/eval.c:287
/home/mame/work/ruby/miniruby(ruby_run_node) /home/mame/work/ruby/eval.c:328
/home/mame/work/ruby/miniruby(rb_main+0x1c) [0x564aa4318605] ./main.c:39
/home/mame/work/ruby/miniruby(main) ./main.c:58
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x7f4849a280d0] ../sysdeps/nptl/libc_start_call_main.h:58
/lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x7f4849a28189] ../csu/libc-start.c:360
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:347
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
[0x564aa43184c5]
```

@martinemde Question to confirm if this is the same problem as yours: Does bundler access the hash in question ([Bundler::Checksum::Store's @store](https://github.com/rubygems/rubygems/commit/34d6c6c72f6099c83860d81b9810d0b1441d802d#diff-63b5dabde4934e1fdd1bf24aea2b5bcfa5c4c3bbcf28112bc10e46cb4a73c30aL167)) from multiple threads in parallel?

The problem I found occurs when a Hash is updated from another thread while `ar_try_convert_table` is converting the internal representation of the hash. Since the key implements `#hash` method in Ruby, I think a context switch is possible during the conversion of `ar_try_convert_table`.

----------------------------------------
Bug #20050: Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for #hash)
https://bugs.ruby-lang.org/issues/20050#change-105675

* Author: martinemde (Martin Emde)
* Status: Open
* Priority: Normal
* ruby -v: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-darwin20]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Hi,

In the rubygems & bundler repositories we've now had two segfaults in the same exact code within days of merging a change to that code, both on ruby 3.2.2 on darwin20.

1. https://github.com/rubygems/rubygems/actions/runs/7110489973/job/19357067789?pr=7129
2. https://github.com/rubygems/rubygems/actions/runs/7131889001/job/19421304163?pr=7228

The specific error seems to happen when calculating the hash of the array in Gem::NameTuple#hash. The array contents that is being `.hash`ed both times should be exactly: `["has_metadata", "1.0", "ruby"]`. If I'm reading this correctly, this indicates that the crash is related either to creating this hash or storing this hash in the hash table (I'm not quite sure which is triggering the crash).

An excerpt of the C backtrace shows the same backtrace for both crashes:

```
       -- C level backtrace information -------------------------------------------
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_vm_bugreport+0x7c4) [0x10cb0f994]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_bug_for_fatal_signal+0x1d0) [0x10c9158c0]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(sigsegv+0x5b) [0x10ca609ab]
       /usr/lib/system/libsystem_platform.dylib(_sigtramp+0x1d) [0x7ff810c14dfd]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_id_table_lookup+0x16) [0x10caa2a56]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(callable_method_entry_or_negative+0x5e) [0x10cae9c8e]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_check_funcall_basic_kw+0x129) [0x10caf0039]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(obj_any_hash+0x3c) [0x10c94bd2c]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(any_hash+0x52) [0x10c94bc12]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_st_add_direct+0x1d) [0x10ca69b7d]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(ar_try_convert_table+0x85) [0x10c94d015]
       /Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_hash_aset+0x18f) [0x10c94e26f]
```

I'm not sure how to follow this instruction in this case on GitHub actions: "Don't forget to include the Crash Report log file under DiagnosticReports directory in bug reports."

I have not been able to reproduce this locally with the same version of ruby (but I'm on darwin22 instead of 20). I will follow up if we continue to see this same crash.



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/